Web-form-buddy: Web site forms processor

Don't let the bad guys spam your web forms!

Getting to grips with form spam

Everyone is familiar with regular email spam: The bad guys get hold of your email address and the next thing you know your inbox is filling up with all kinds of junk. Web-form-buddy can help prevent that as it allows you to keep your email address completely excluded from your web pages (unlike many other form scripts where your email address has to be present in a hidden field in the source HTML and where hackers can easily harvest it!).

But web form spam is a slightly different problem. This is where you receive a large number of annoying "junk" form submissions, many of which contain irrelevant links. When this happens it's natural to think "why are they doing it? What do they hope to achieve?" Well, the bad guys might start to take an interest in your web forms for a couple of reasons:

  1. Because they are probing for vulnerabilities. They hope to hijack your mail server through your web form and use it to relay their spam. They hope to be able to do this by exploiting poorly written "home made" web form scripts (usually PHP scripts). For more on this see our page on spam injection.
  2. They think they can get links to their spam sites published on your web pages.

Of course, just like regular email spam, most link spam is stupid - and you're going to think "who on earth falls for this stuff"? In particular you're going to wonder "just how do these idiots think that by completing my web forms with lots of junk they are ever going to benefit from it or get me to do anything that might help them in any way?". But there is a twisted, commercial logic behind modern-day form spam which runs like this:

  • Modern search engines such as Google rely heavily on inbound links to rank web pages in their index
  • Many web sites allow their visitors to publish content on their web pages through completion of a web form. The two most common cases are:
    • Comments posted on blogs
    • "Guest book" pages
  • So spammers create "bots" (automated web crawlers) to seek out and find pages with forms in the hope that they are of the type mentioned above.
  • When they find such a page the "bot" fills out the form and submits it, and typically the content will contain lots of links to spammy web sites.

Now to you or me this project might seem hopeless. There aren't many bloggers who will allow unmoderated comments to get posted on their site surely? And those that do are bound to set up some anti-spam filter (such as Akismet)! The same must surely be true of guest books? But of course spammers are not stupid. Far from it. They use highly automated systems with a scatter-gun approach. If it gets a result in just one in one hundred thousand attempts, they can be on to a winner. The cost to them is negligible - but of course the aggravation you suffer can be extreme!

And this is the problem - these form spammers will waste your time with their junk form submissions. They don't care very much to distinguish between forms that can post comments on a blog or on a guest book from other kinds of form, such as simple contact forms. Why should they bother?


Weapon 1: Test their patience with powerful form field validation

It's truly amazing how many forms are out there on the web with zero - absolute zilch - field validation! You hit the submit button - the form gets sent! Simple as that. That's meat and drink to these bad guy web bots of course.

With Web-form-buddy it's very easy to add lots of useful field validation to your form. There's no coding to do in the web page or in a script. You just pick out the fields in your form from your control panel, and you're done!

The beauty of field validation is that it does not hinder your genuine, "human" users. In fact it only helps them by prompting them if they have missed something on the form or made a typo. For example if you're asking for a telephone number and your user enters an invalid character, Web-form-buddy can pick up on that. The same goes for all kinds of fields such as email addresses, names, post codes and so on.

But this kind of thing drives all but the most clever "bots" nuts! It's very difficult for a web bot to figure out from the HTML source of your web page what kind of data a field must have to allow a form to be submitted. So this is one great way to eliminate significant amounts of form spam - and help your users to boot!
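As an added illustration (not Web-form-buddy's own code), the per-field checks described above can be written server-side in Python like this; the field names, patterns and error strings are assumptions made for the example. It also rejects line breaks in single-line fields, the usual guard against a form being used to inject extra mail headers.

```python
import re

# Hypothetical per-field rules for a contact form. The free-text "message"
# field is deliberately not listed: it may contain anything, line breaks included.
RULES = {
    "name":      re.compile(r"[^\W\d_]+(?:[ '\-][^\W\d_]+)*"),
    "email":     re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)+"),
    "telephone": re.compile(r"\+?[0-9][0-9 ()\-]{5,18}[0-9]"),
    "postcode":  re.compile(r"[A-Za-z0-9][A-Za-z0-9 \-]{1,8}[A-Za-z0-9]"),
}
REQUIRED = ("name", "email")


def validate(form):
    """Return {field: error}; an empty dict means the submission is accepted."""
    errors = {}
    for field in REQUIRED:
        if not form.get(field, "").strip():
            errors[field] = "required"
    for field, rule in RULES.items():
        value = form.get(field, "")
        if field in errors or not value:
            continue  # already reported, or an optional field left blank
        if "\r" in value or "\n" in value:
            # Single-line fields often end up in mail headers (From, Subject),
            # so a line break here is never legitimate input.
            errors[field] = "line break not allowed"
        elif not rule.fullmatch(value.strip()):
            errors[field] = "invalid format"
    return errors


if __name__ == "__main__":
    # Constructed sample submissions.
    human = {"name": "Ann O'Neil", "email": "ann@example.org",
             "telephone": "+44 20 7946 0000", "postcode": "SW1A 1AA",
             "message": "Hello,\nplease call me back."}
    bot = {"name": "http://spam.example/ cheap links", "email": "x",
           "telephone": "call now!!", "message": "visit http://spam.example/"}
    print(validate(human))
    print(validate(bot))
```

The same rules have to run on the server even if the page also checks them in the browser, because a bot posts straight to the form handler and never runs the page's script.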

Some "bots" though are darn clever. So even this may not be enough. And that means it's time to get serious!


Weapon 2: the data confirmation screen

Just like our first weapon, Web-form-buddy's data confirmation screen feature is worth having in itself - but as an additional bonus it fends off even the cleverest of automated submission robots.

What happens with this option is that Web-form-buddy displays a web page after the form has been completed which allows the sender to review and check their data entry. That's a nice feature and your human users will thank you for it. But if your bad guy's little web bot is over-heating already through having to figure out the field validation maze - this final step will blow its fuse and scramble its brain!

But just in case that little spam "bot" is not yet down and out - you've still got an ace up your sleeve with Web-form-buddy....


Weapon 3: Nuke 'em with the big one - CAPTCHA

A CAPTCHA is a simple test that is easy for a human but well nigh impossible for a computer or "bot". You are bound to have run into these in your travels on the Internet (for example Google uses them when you sign up to their services). Typically you are presented with a few odd looking numbers and characters that you enter in a box before your form submission can be completed. The idea is that this is something only a human can do, but is impossible for an automated web crawler. In a recent development, Google has introduced a new, improved form of CAPTCHA that simply requires your user to click on a check box (which means it is extremely user-friendly). They call this "Invisible reCAPTCHA" or "No CAPTCHA reCAPTCHA".

With Web-form-buddy you have a choice of not just one, but three different types of CAPTCHA test:

  • Google's new No CAPTCHA reCAPTCHA: Users (i.e. "humans") are simply asked to confirm "I am not a robot". Most users will be able to securely and easily verify they are a human with just a single click instead of having to solve a CAPTCHA test. Google reCAPTCHA is not only a very powerful anti-spam device, but according to Google you are also helping with a public service - apparently it helps digitize text, annotate images, and build machine learning datasets, and this in turn helps preserve books, improve maps, and solve hard AI problems.
  • Regular CAPTCHA: the user has to type a few letters that are displayed on the screen to complete the form submission
  • Simple math CAPTCHA: a very easy arithmetic test e.g. "what is 6 + 3?"
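For the simple math CAPTCHA, the following added Python example (not Web-form-buddy's own code) shows the server-side half that makes the test meaningful: the expected answer never appears in the page, each challenge expires, and it can be attempted only once. The function names, the 300-second lifetime and the in-memory store are assumptions made for the example.

```python
import secrets
import time

TTL = 300        # assumed lifetime of a challenge, in seconds
_pending = {}    # challenge id -> (expected answer, expiry); lives on the server only


def new_challenge(now=None):
    """Create a challenge; only the id and the question text go into the form."""
    now = time.time() if now is None else now
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    cid = secrets.token_urlsafe(16)          # unguessable id, sent as a hidden field
    _pending[cid] = (a + b, now + TTL)
    return cid, f"what is {a} + {b}?"


def check_answer(cid, answer, now=None):
    """True only for the first, correct, in-time answer to a known challenge."""
    now = time.time() if now is None else now
    # pop() removes the challenge on any attempt, so a solved challenge cannot
    # be replayed and a bot cannot try every sum from 2 to 18 against one id.
    expected, expires = _pending.pop(cid, (None, 0))
    if expected is None or now > expires:
        return False
    try:
        return int(str(answer).strip()) == expected
    except ValueError:
        return False


if __name__ == "__main__":
    cid, question = new_challenge()
    print(question)
    print(check_answer(cid, "0"))   # a wrong guess also uses up the challenge
```

A real deployment would keep the pending challenges in the visitor's session or a shared store with expiry rather than a module-level dictionary.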

It's true that CAPTCHA does not help your user. On the contrary it gives them an extra job to do. Having said that, the technique is so common now that most web users accept it. And arguably, although obliged to complete an extra step in the course of the form submission, your web user or customer will come away impressed with the professionalism of your web site!


~ Get started with Web-form-buddy today - take the free 14 day trial! ~